Re: TLS-PSK: making a http(s) lookup call from inside haproxy code

2017-02-23 Thread Braňo Žarnovičan
Thanks for the insight from both of you.

I have spent a couple of hours browsing through the code and realized
that even if async I/O were possible in the PSK callback, I would have
a really hard time wrapping my head around it. The learning curve is just
too steep (not to mention post-implementation maintenance of that
patch). Right now, the solution to replace the file and reload haproxy
sounds more feasible.

> BTW, in the thread about the TLS-PSK support, it was suggested to use a map
> to handle identities. When it will be done, it will be possible to
> dynamically update the map.

I will be following haproxy development for any news in this regard.

Thanks,

Brano Zarnovican
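For the file-and-reload approach settled on above, here is an added example (not code from this thread, from HAProxy or from Nenad's patch) of the identity-to-key lookup the OpenSSL server PSK callback has to perform: it walks a constructed in-memory copy of the key file, bounds the copy by max_psk_len, returns 0 for malformed keys and unknown identities so the handshake fails, and treats the identity as untrusted ClientHello data. The names psk_table, psk_lookup and hexval are mine; ssl_srv_psk_cb keeps the name and signature from the original post, and the opaque SSL typedef is a stand-in for the OpenSSL header.

```c
#include <string.h>
#include <ctype.h>

/* Constructed sample of the identity-to-key file that gets loaded at
 * startup and replaced on reload: "identity hex-psk" per line. */
static const char *psk_table =
    "sensor-01 0102030405060708090a0b0c0d0e0f10\n"
    "sensor-02 ffeeddccbbaa99887766554433221100\n";

static int hexval(int c) {             /* one hex digit -> 0..15, else -1 */
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* OpenSSL server-PSK contract: copy the key for identity into psk (at most
 * max_psk_len bytes) and return its length, or 0 so the handshake fails.
 * The identity is unauthenticated ClientHello data: compare it, never parse it. */
unsigned int psk_lookup(const char *identity, unsigned char *psk,
                        unsigned int max_psk_len) {
    size_t idlen = identity ? strlen(identity) : 0;
    const char *line = psk_table;
    while (idlen && *line) {
        const char *sp = strchr(line, ' ');
        const char *nl = strchr(line, '\n');
        if (!sp || !nl || sp > nl) return 0;               /* malformed table */
        if ((size_t)(sp - line) == idlen && memcmp(line, identity, idlen) == 0) {
            const char *hex = sp + 1;
            size_t hexlen = (size_t)(nl - hex);
            if (hexlen == 0 || hexlen % 2 || hexlen / 2 > max_psk_len)
                return 0;                          /* odd-length or oversized key */
            for (size_t i = 0; i < hexlen / 2; i++) {
                int hi = hexval((unsigned char)hex[2 * i]);
                int lo = hexval((unsigned char)hex[2 * i + 1]);
                if (hi < 0 || lo < 0) return 0;            /* non-hex character */
                psk[i] = (unsigned char)(hi << 4 | lo);
            }
            return (unsigned int)(hexlen / 2);
        }
        line = nl + 1;
    }
    return 0;                                              /* unknown identity */
}

struct ssl_st; typedef struct ssl_st SSL;  /* stand-in; drop once <openssl/ssl.h> is included */

/* The function to pass to SSL_CTX_set_psk_server_callback(ctx, ...). */
unsigned int ssl_srv_psk_cb(SSL *ssl, const char *identity,
                            unsigned char *psk, unsigned int max_psk_len) {
    (void)ssl;
    return psk_lookup(identity, psk, max_psk_len);
}
```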



Re: TLS-PSK: making a http(s) lookup call from inside haproxy code

2017-02-23 Thread Christopher Faulet

On 22/02/2017 at 16:02, thierry.fourn...@arpalert.org wrote:

> On Wed, 22 Feb 2017 15:43:36 +0100
> Braňo Žarnovičan wrote:
>
>> Options:
>>
>> (a) implement lookup call in C
>>
>> I should be able to whip up a simple HTTP 1.0 request via low-level
>> socket programming. However, I would like some more, fancier features
>> like https, persistent connections, basic auth, handling timeouts, etc.
>> Even with the simple socket code I'm not sure how that will play with
>> haproxy's event-driven nature. I would appreciate it if someone could
>> point me to an example where haproxy is doing something similar
>> already.
>
> Hi, there is no way to easily implement an HTTP request from haproxy. If
> you are looking for an example, you can look at the code of SPOE, the
> stats page, the stats CLI or the Lua code for "core.socket".
>
> The idea is to create a client applet and use an internal proxy to
> process the connection, the data exchange and the SSL. The HTTP protocol,
> as a client, must be implemented on our side.

I just took a quick look at the patch of Nenad, but it seems impossible
to do asynchronous processing in the PSK callback functions. If I'm right,
you cannot loop on these callbacks, waiting for the completion of an
external lookup. So you should do your HTTP request synchronously, and
you certainly do not want to do that! Using an applet here, as Thierry
suggested, will not help you.

>> (b) integrate it with Lua
>>
>> Lua sounds like a better option for writing custom code for HAproxy.
>> However, I'm afraid that I wouldn't be able to hook it into the TLS
>> handshake itself (that stage is too early in the process). It seems that
>> it's not a good use case for Lua.
>
> I confirm, you can't have a hook in the https, and you can't configure
> the https parameters. Maybe in a future version; for now, I'm waiting for
> some feedback about the actual process.
>
> Another way is to use the new SPOE protocol to forward some data to
> your own service which will process the SSL. Look for an example of an SPOE
> client in the directory "contrib/spoa_example".

The SPOE (Stream Processing Offload Engine), as its name says, must be
used to offload processing on streams. So, it cannot be used during the
SSL handshake, because there is no stream yet at this step. This is not
a limitation of the SPOE in itself, but of the filters API. There is no
hook to handle TCP/SSL connection creation (not yet).

BTW, in the thread about the TLS-PSK support, it was suggested to use a
map to handle identities. When it is done, it will be possible to
dynamically update the map.


--
Christopher Faulet



Re: TLS-PSK: making a http(s) lookup call from inside haproxy code

2017-02-22 Thread thierry.fournier
On Wed, 22 Feb 2017 15:43:36 +0100
Braňo Žarnovičan wrote:

> Hi,
>
> I need to call an external http (preferably https) service from
> HAproxy code. What's the easiest way to achieve that?
>
> Context:
> I would like HAproxy to do TLS termination for non-http traffic
> (mqtt). The TLS cipher is PSK (pre-shared key). There was a patch in
> this mailing-list adding support for this cipher. In his patch, Nenad
> Merdanovic is loading : map from a configuration file.
> This is fine, if you have a static environment. I would like to hook
> this identity-to-key function to some external service.
>
> #include <openssl/ssl.h>
>
> // for TLS-PSK, you need to implement this function
> static unsigned int ssl_srv_psk_cb(SSL *ssl, const char *identity,
>                                    unsigned char *psk,
>                                    unsigned int max_psk_len)
> {
>     // for a given "identity" string, return its pre-shared key "psk":
>     // copy at most max_psk_len bytes and return the length (0 = not found)
>     // make a https call here..
>     return 0;
> }
>
> // and register it for OpenSSL as call-back
> SSL_CTX_set_psk_server_callback(ctx, ssl_srv_psk_cb);
>
> Options:
>
> (a) implement lookup call in C
>
> I should be able to whip up a simple HTTP 1.0 request via low-level
> socket programming. However, I would like some more, fancier features
> like https, persistent connections, basic auth, handling timeouts, etc.
> Even with the simple socket code I'm not sure how that will play with
> haproxy's event-driven nature. I would appreciate it if someone could
> point me to an example where haproxy is doing something similar
> already.


Hi, there is no way to easily implement an HTTP request from haproxy. If
you are looking for an example, you can look at the code of SPOE, the
stats page, the stats CLI or the Lua code for "core.socket".

The idea is to create a client applet and use an internal proxy to
process the connection, the data exchange and the SSL. The HTTP protocol,
as a client, must be implemented on our side.


> (b) integrate it with Lua
>
> Lua sounds like a better option for writing custom code for HAproxy.
> However, I'm afraid that I wouldn't be able to hook it into the TLS
> handshake itself (that stage is too early in the process). It seems that
> it's not a good use case for Lua.


I confirm, you can't have a hook in the https, and you can't configure
the https parameters. Maybe in a future version; for now, I'm waiting for
some feedback about the actual process.

Another way is to use the new SPOE protocol to forward some data to
your own service which will process the SSL. Look for an example of an SPOE
client in the directory "contrib/spoa_example".

Thierry


> Any thoughts? Examples of async I/O https calls from C?
> 
> Thanks,
> 
> Brano Zarnovican
> 



TLS-PSK: making a http(s) lookup call from inside haproxy code

2017-02-22 Thread Braňo Žarnovičan
Hi,

I need to call an external http (preferably https) service from
HAproxy code. What's the easiest way to achieve that?

Context:
I would like HAproxy to do TLS termination for non-http traffic
(mqtt). The TLS cipher is PSK (pre-shared key). There was a patch in
this mailing-list adding support for this cipher. In his patch, Nenad
Merdanovic is loading : map from a configuration file.
This is fine, if you have a static environment. I would like to hook
this identity-to-key function to some external service.

#include <openssl/ssl.h>

// for TLS-PSK, you need to implement this function
static unsigned int ssl_srv_psk_cb(SSL *ssl, const char *identity,
                                   unsigned char *psk,
                                   unsigned int max_psk_len)
{
    // for a given "identity" string, return its pre-shared key "psk":
    // copy at most max_psk_len bytes and return the length (0 = not found)
    // make a https call here..
    return 0;
}

// and register it for OpenSSL as call-back
SSL_CTX_set_psk_server_callback(ctx, ssl_srv_psk_cb);

Options:

(a) implement lookup call in C

I should be able to whip up a simple HTTP 1.0 request via low-level
socket programming. However, I would like some more, fancier features
like https, persistent connections, basic auth, handling timeouts, etc.
Even with the simple socket code I'm not sure how that will play with
haproxy's event-driven nature. I would appreciate it if someone could
point me to an example where haproxy is doing something similar
already.

(b) integrate it with Lua

Lua sounds like a better option for writing custom code for HAproxy.
However, I'm afraid that I wouldn't be able to hook it into the TLS
handshake itself (that stage is too early in the process). It seems that
it's not a good use case for Lua.

Any thoughts? Examples of async I/O https calls from C?

Thanks,

Brano Zarnovican